A database management system (“DBMS”) manages a database. A database management system may comprise one or more database servers. A database comprises database data and metadata that is stored on a persistent memory mechanism, such as a set of hard disks. Database data may be stored in one or more data containers. Each container contains records. The data within each record is organized into one or more fields. In relational database management systems, the data containers are referred to as tables, the records are referred to as rows, and the fields are referred to as columns. In object-oriented databases, the data containers are referred to as object classes, the records are referred to as objects, and the fields are referred to as attributes. Other database architectures may use other terminology.
Database servers manage resources. Such resources may include, for example, data containers such as tables or object classes, or the records stored within the data containers. Other resources include files and directories that store such files. Yet other resources may include functions, and the execution of functions. Although specific resources are described herein as examples, database servers manage numerous other resources, and resources are not limited to the resources explicitly described herein.
Database servers control access to resources, limiting access to such resources to only authorized users. Database applications specify access control policies on such resources by stating, in an access control list (ACL), what privileges users are granted. The database applications may specify that a certain user or role is granted or denied a privilege. However, multiple access control lists may protect the same resource, with some ACLs granting a privilege, and other ACLs denying the same privilege. To determine whether to grant the user the privilege, a database server performs access resolution. For access resolution, the database server examines at least some of the ACLs, and, based on the semantics of the application, makes a determination whether the privilege is denied or granted. However, processing a large number of ACLs that protect a resource is inefficient, because there may be many tens of thousands of ACLs. Processing thousands of ACLs each time a user requests grant of a privilege wastes processing time, and delays access to data for users.
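The access-resolution step described above, as an added illustration that is not part of this document and does not describe any particular DBMS: a resource protected by several ACLs, some granting and some denying the same privilege, resolved under one assumed application semantics (an explicit deny wins, otherwise any grant suffices, otherwise deny). The `worst_case_scan` helper shows the cost the text complains about: when no ACL mentions the requester, every ACL must be examined before the server can answer.

```python
from dataclasses import dataclass

# Constructed model: an ACE grants or denies one privilege to one principal.
@dataclass(frozen=True)
class Ace:
    principal: str   # e.g. "user:alice" or "role:hr"
    privilege: str   # e.g. "read"
    grant: bool      # True = grant, False = deny

@dataclass
class Acl:
    name: str
    aces: list       # list[Ace]

def resolve(acls, user, roles, privilege):
    """Return (decision, number_of_acls_examined).

    Assumed semantics (the text leaves them to the application): the
    first matching deny ends the scan with "deny"; otherwise "grant" if
    any ACL grants the privilege to the user or one of the roles; "deny"
    if no ACL mentions the privilege for this requester at all."""
    principals = {user, *roles}
    granted = False
    examined = 0
    for acl in acls:
        examined += 1
        for ace in acl.aces:
            if ace.privilege != privilege or ace.principal not in principals:
                continue
            if not ace.grant:
                return ("deny", examined)   # explicit deny wins, stop early
            granted = True                  # keep scanning for a later deny
    return ("grant" if granted else "deny", examined)

# Constructed sample: three ACLs protecting the same resource.
SAMPLE_ACLS = [
    Acl("hr_read", [Ace("role:hr", "read", True)]),
    Acl("contractors", [Ace("user:bob", "read", False)]),
    Acl("everyone", [Ace("role:staff", "read", True),
                     Ace("role:staff", "write", False)]),
]

def worst_case_scan(n):
    """Constructed: n ACLs that never mention the requester, so the
    resolver has to visit all n of them before it can decide."""
    many = [Acl(f"acl{i}", [Ace("role:other", "read", True)]) for i in range(n)]
    return resolve(many, "user:alice", set(), "read")
```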
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.